DETAILED ACTION 

1. Claims 1-2, 4-10, 12-19, 21-22, 28-35, 41-42, 45-47 and 49-56. 

Response to Arguments 

2. Applicant's arguments with respect to claims 1-2, 4-10, 12-19, 21-22, 28-35, 41-42, 45- 
47 and 49-56 have been considered but are moot in view of the new ground(s) of rejection. 

Claim Rejections - 35 USC §103 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 

3. Claims 1, 2, 6-10, 14-19, 21-22, 41 and 54-56 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Porras et al. (Porras), U.S. Patent No. 6,704,874 in view of Shostack et al. 
(Shostack), U.S. Patent No. 6,298,445 and further in view of Schneier et al. (Schneier), U.S. 
Patent No. 7,159,237. 

As per claims 1 and 17: 

Porras substantially teaches a method comprising: 

detecting possible security problems at two or more client locations (3:16-41); 
transmitting notice of the possible security problems from the two or more client locations 
across a network to a home location remotely located from the two or more locations (3:36- 
41); 
determining at the home location an anomaly at one of the client locations based on an 
analysis of at least the possible security problems at the two or more client locations (5:63-6:33); 
and 

transmitting notice of the anomaly in real time to the client locations (6:34-37). 

Porras fails to teach performing the above steps in real time. However, Shostack 
discloses a real-time intrusion detection system that detects security problems, analyzes and 
alerts users (6:53-65). 

It would have been obvious to one of ordinary skill in the art at the time of applicant's 
invention to perform these actions in real time in order to provide the most up-to-date security 
information and to remedy the problem as quickly as possible as recited in Shostack (2:31-47). 

Porras and Shostack fail to teach updating security data to include information about a 
new anomaly. However, Schneier discloses receiving updated security data that includes a new 
intrusion (5:19-43). 

It would have been obvious to one of ordinary skill in the art at the time of applicant's 
invention to update security data about new intrusions in order to help in identifying intrusions in 
a client's system as taught by Schneier (2:44-58). 

As per claim 9, this is a computer readable medium version of the claimed method 
discussed above in claim 1 wherein all claimed limitations have also been addressed and/or cited 
as set forth above. 

As per claim 2: 
Shostack further discloses a method further comprising transmitting notice of the 
anomaly in real time to other client locations that may communicate with the home location over 
the network (6:58-59, wherein information about the network status includes anomalies found). 

It would have been obvious to one of ordinary skill in the art at the time of applicant's 
invention to perform these actions in real time in order to provide the most up-to-date security 
information and to remedy the problem as quickly as possible as recited in Shostack (2:31-47). 

As per claim 10, this is a computer readable medium version of the claimed method 
discussed above in claim 2 wherein all claimed limitations have also been addressed and/or cited 
as set forth above. 

As per claim 6: 

Shostack further discloses a method in which the anomaly includes unauthorized access 
to the network (4:64-67; 5:1, wherein this is an example of a security vulnerability (4:47-48) and 
the security vulnerabilities function as anomalies). 

As per claim 14, this is a computer readable medium version of the claimed method 
discussed above in claim 6 wherein all claimed limitations have also been addressed and/or cited 
as set forth above. 

It would have been obvious to one of ordinary skill in the art at the time of applicant's 
invention to perform these actions in real time in order to provide the most up-to-date security 
information and to remedy the problem as quickly as possible as recited in Shostack (2:31-47). 

As per claim 7: 
Shostack further discloses a method in which the anomaly includes unauthorized access 
of a resource accessible through the network (5:1-4, wherein the program library is a network 
resource). 

As per claim 15, this is a computer readable medium version of the claimed method 
discussed above in claim 7 wherein all claimed limitations have also been addressed and/or cited 
as set forth above. 

It would have been obvious to one of ordinary skill in the art at the time of applicant's 
invention to perform these actions in real time in order to provide the most up-to-date security 
information and to remedy the problem as quickly as possible as recited in Shostack (2:31-47). 

As per claim 8: 

Shostack further discloses a method in which the anomaly includes unauthorized use of 
resources available through the network (6:10-13, wherein seeing the disk is using a network 
resource). 

As per claim 16, this is a computer readable medium version of the claimed method 
discussed above in claim 8 wherein all claimed limitations have also been addressed and/or cited 
as set forth above. 

It would have been obvious to one of ordinary skill in the art at the time of applicant's 
invention to perform these actions in real time in order to provide the most up-to-date security 
information and to remedy the problem as quickly as possible as recited in Shostack (2:31-47). 

As per claim 18: 

Shostack further discloses a method further comprising transmitting notice of the 
existence of the anomaly in real time from the home location to the remote client locations (7:57- 
63, wherein the software enhancement being sent is the notice of the security vulnerability, 
which functions as the anomaly). 

It would have been obvious to one of ordinary skill in the art at the time of applicant's 
invention to perform these actions in real time in order to provide the most up-to-date security 
information and to remedy the problem as quickly as possible as recited in Shostack (2:31-47). 

As per claim 19: 

Shostack further discloses a method further comprising transmitting notice of the existence of 
the anomaly in real time from the home location to other remote client locations that 
may communicate with the home location over the network (6:58-59, wherein information about 
the network status includes anomalies found). 

It would have been obvious to one of ordinary skill in the art at the time of applicant's 
invention to perform these actions in real time in order to provide the most up-to-date security 
information and to remedy the problem as quickly as possible as recited in Shostack (2:31-47). 

As per claim 21: 

Shostack further discloses a method further comprising transmitting information 
from the home location to the remote client locations to help the remote client location identify 
possible security problems (13:7-9, wherein the database updates to the security vulnerabilities 
help to identify possible security problems). 

It would have been obvious to one of ordinary skill in the art at the time of applicant's 
invention to perform these actions in real time in order to provide the most up-to-date security 
information and to remedy the problem as quickly as possible as recited in Shostack (2:31-47). 

As per claim 22: 
Shostack further discloses a method further comprising determining the existence of the 
anomaly based on at least information regarding previous anomalies (9:56-63, wherein the 
database contains a log of all of the previous security vulnerabilities which function as 
anomalies). 

It would have been obvious to one of ordinary skill in the art at the time of applicant's 
invention to perform these actions in real time in order to provide the most up-to-date security 
information and to remedy the problem as quickly as possible as recited in Shostack (2:31-47). 

As per claim 41: 

Shostack discloses a method comprising: 

detecting a possible security problem at a client location (3:16-41); 

transmitting notice of the possible security problems across a network to a home location 
remotely located from the client locations (3:36-41); 

determining, at the home location, an anomaly at one of the locations based on the 
possible security problems by searching for particular information in the anomaly, the particular 
information including at least one of a network address previously noted as a security problem 
and a particular query or command associated with a known intrusion pattern or technique, in 
which detecting possible security problems at the two or more client locations (5:63-6:33, 5:28- 
44); and 

transmitting notice of the anomaly in real time to the client locations (6:34-37). 

Porras fails to teach performing the above steps in real time. However, Shostack 
discloses a real-time intrusion detection system that detects security problems, analyzes and 
alerts users (6:53-65). 
It would have been obvious to one of ordinary skill in the art at the time of applicant's 
invention to perform these actions in real time in order to provide the most up-to-date security 
information and to remedy the problem as quickly as possible as recited in Shostack (2:31-47). 

As per claims 54-56: 

Schneier discloses modifying security procedures in response to an anomaly and 
detecting further possible security problems using security data and transmitting the notice of the 
possible security problem to a home location and determining a real security problem at the 
client location based on the security data in real time (5:19-43). 

It would have been obvious to one of ordinary skill in the art at the time of applicant's 
invention to update security data about new intrusions in order to help in identifying intrusions in 
a client's system as taught by Schneier (2:44-58). 

4. Claims 28, 30 and 32-34 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Shostack et al. (Shostack), U.S. Patent No. 6,298,445 in view of Porras et al. (Porras), U.S. 
Patent No. 6,704,874 and further in view of Schneier et al. (Schneier), U.S. Patent No. 
7,159,237. 

As per claim 30: 

Shostack substantially teaches a system comprising: 
a server (9:10); 

for each of the client terminals, 

a first client mechanism accessible by the client terminal to detect a possible security 
problem at the client terminal (6:43-46, wherein an intrusion is a possible security problem), 



Application/Control Number: 10/010,743 Page 9 

Art Unit: 2132 

a second client mechanism accessible by the client terminal to transmit notice of the 
possible security problem across a network in real time to a server remotely located from the 
client terminal (6:53-57, wherein sending an alarm functions as transmitting notice of the 
possible security problem), and 

a third client mechanism accessible by the client terminal to receive updates from the 
server in real time regarding security problems that the first client mechanism may use in 
detecting possible security problems (7:57-63; 9:10-21, wherein the client receives the software 
enhancement updates which function as updates from the server about security problems); 

determining an anomaly continuously in real time (7:15-16, wherein the security 
vulnerabilities function as anomalies and the local server is the home location); and 

a second server mechanism accessible by the server to transmit notice of the anomaly in 
real time over the network to the client terminals (7:57-63; 9:10-21, wherein the software 
enhancement being sent is the notice of the security vulnerability, which functions as the 
anomaly). 

Shostack fails to teach determining an anomaly at one of the client terminals based on at 
least information received from the two or more client terminals regarding possible security 
problems. However, Porras discloses determining an anomaly based on alerts of possible 
security problems received from two or more clients (5:63-6:35). 

It would have been obvious to one of ordinary skill in the art at the time of applicant's 
invention to determine an anomaly based on possible security problems at two or more clients 
because this would allow detection that nominally different alerts may actually represent a single 
intrusion incident as taught by Porras (6:5-12). 
Shostack and Porras fail to teach updating security data to include information about a 
new anomaly. However, Schneier discloses receiving updated security data that includes a new 
intrusion (5:19-43). 

It would have been obvious to one of ordinary skill in the art at the time of applicant's 
invention to update security data about new intrusions in order to help in identifying intrusions in 
a client's system as taught by Schneier (2:44-58). 

As per claim 28, this is an apparatus version of the claimed system discussed above in 
claim 30 wherein all claimed limitations have also been addressed and/or cited as set forth above. 

As per claim 32: 

Shostack further discloses a system in which the first server mechanism is also 
configured to determine the anomaly based on at least information regarding previously 
determined anomalies (9:56-63, wherein the database contains a log of all of the previous 
security vulnerabilities which function as anomalies). 

As per claim 33: 

Shostack further discloses a system in which the second server mechanism is also 
configured to transmit notice of the anomaly in real time to other client locations that may 
communicate with the server over the network (6:58-59, wherein information about the network 
status includes anomalies found). 

As per claim 34: 

Shostack further discloses a system further comprising a firewall located between the 
client terminals and the server and configured to act as an intermediary for information flowing 
between the client terminals and the server (4:19-24, since the server is remotely connected to 
the network 20 (9:13-14; fig 2, item 20), the placement of the firewall makes it an intermediary 
between the external server and the client, therefore, the firewall's functionality as a filter shows 
that information flows between the server and client). 

5. Claims 45, 50 and 51 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Shostack et al. (Shostack), U.S. Patent No. 6,298,445 in view of Porras et al. (Porras), U.S. 
Patent No. 6,704,874 in view of Schneier as applied to claim 28 and further in view of Shipley 
(U.S. 6,119,236). 

As per claim 45: 

Shipley further discloses a method further comprising storing and performing complex 
analysis of anomaly trends by using a complexity theory mechanism (5:58-6:3). 

It would have been obvious to one of ordinary skill in the art at the time of applicant's 
invention to combine the inventions of Shostack and Porras with the invention of Shipley 
because each uses firewalls in its own invention, and utilizing Shipley's real-time 
dynamic programming of the firewalls would allow the firewalls to better protect their respective 
networks since they would constantly be modified to account for the newest threats (Shipley, 2:56- 
65). 

As per claims 50 and 51: 

Shipley further discloses a method further comprising updating, in real time, a firewall 
protecting the client location to account for the anomaly (7:58-8:41). 

It would have been obvious to one of ordinary skill in the art at the time of applicant's 
invention to combine the inventions of Shostack and Porras because, in order to make a system 
less vulnerable to attack as stated in Shostack (2:18-28), not only do vulnerability updates need 
to be disseminated, but tracking the hacker who breached the security is also essential to the 
security of a system against intrusions in order to ensure that the same person cannot do so again. 

It would have been obvious to one of ordinary skill in the art at the time of applicant's 
invention to combine the inventions of Shostack and Porras with the invention of Shipley 
because each uses firewalls in its own invention, and utilizing Shipley's real-time 
dynamic programming of the firewalls would allow the firewalls to better protect their respective 
networks since they would constantly be modified to account for the newest threats (Shipley, 2:56- 
65). 

6. Claims 4, 12 and 31 are rejected under 35 U.S.C. 103(a) as being unpatentable over Porras in 
view of Shostack in view of Schneier as applied to claims 1, 9, 23, 26 and 30 above and further 
in view of Baker, U.S. Patent No. 6,775,657. 

As per claim 4: 

Porras and Shostack fail to teach a method further comprising inspecting a packet that 
arrives at the client location to detect the possible security problem. However, Baker discloses a 
method wherein a network-based intrusion detection system analyzes network packet data to 
make security decisions (1:41-42; 46-53). It would have been obvious to one of ordinary skill in 
the art at the time of applicant's invention to analyze a packet that arrives at the client in order to 
make security decisions because this would make the intrusion detection system scale well for 
network protection since it is the amount of traffic that determines performance; therefore it 
would also be easier to control and improve performance of the network as a whole (1:53-60). 

As per claim 12, this is a computer readable medium version of the claimed method 
discussed above in claim 4 wherein all claimed limitations have also been addressed and/or cited 
as set forth above. 

As per claim 31: 

Porras and Shostack fail to teach a system in which the first mechanism is also 
configured to monitor packets that arrive at the client terminal for the possible security problem. 
However, Baker discloses a method wherein a network-based intrusion detection system 
analyzes network packet data to make security decisions (1:41-42; 46-53). 

It would have been obvious to one of ordinary skill in the art at the time of applicant's 
invention to analyze a packet that arrives at the client in order to make security decisions because 
this would make the intrusion detection system scale well for network protection since it is the 
amount of traffic that determines performance; therefore it would also be easier to control and 
improve performance of the network as a whole (1:53-60). 

It would have been obvious to one of ordinary skill in the art at the time of applicant's 
invention to perform these actions in real time in order to provide the most up-to-date security 
information and to remedy the problem as quickly as possible as recited in Shostack (2:31-47). 

7. Claims 5, 13 and 35 are rejected under 35 U.S.C. 103(a) as being unpatentable over Porras in 
view of Shostack in view of Schneier as applied to claims 1, 9 and 30 above and further in view 
of Bowman-Amuah, U.S. Patent No. 6,697,824. 

As per claim 5: 

Porras and Shostack fail to teach a method in which the network includes a virtual private 
network. However, Bowman-Amuah discloses a method wherein a network is protected from 
unauthorized access through the encryption services provided by Virtual Private Networking 
(75:64-65, fig 36). It would have been obvious to one of ordinary skill in the art at the time of 
applicant's invention to include a virtual private network with the network because of the added 
security benefits a VPN affords a system against unauthorized users. 

As per claim 13, this is a computer readable medium version of the claimed method 
discussed above in claim 5 wherein all claimed limitations have also been addressed and/or cited 
as set forth above. 

As per claim 35: 

Porras and Shostack fail to teach a system in which at least one of the firewalls includes a 
corporate server. However, Bowman-Amuah discloses a method wherein a corporate firewall 
includes a corporate server at a corporate headquarters (75:65-66; 76:19-23). It would have been 
obvious to one of ordinary skill in the art at the time of applicant's invention to include a 
corporate server with the firewall because if the intrusion detection system were to be used in a 
business setting the firewalls would provide increased access control for the internal network 
(76:21-23). 

It would have been obvious to one of ordinary skill in the art at the time of applicant's 
invention to perform these actions in real time in order to provide the most up-to-date security 
information and to remedy the problem as quickly as possible as recited in Shostack (2:31-47). 

8. Claims 42 and 52 are rejected under 35 U.S.C. 103(a) as being unpatentable over Shostack 
(U.S. 6,298,445) in view of Lyle (U.S. 6,886,102) and further in view of Moran, U.S. Patent No. 
6,826,697. 

As per claim 42: 
Shostack discloses a method comprising: 

detecting a possible security problem at a client location (6:43-46, wherein an intrusion is 
a possible security problem); 

transmitting notice of the possible security problem across a network in real time to a 
home location remotely located from the location (6:53-57, wherein sending an alarm functions 
as transmitting notice of the possible security problem and the system administrator resides at a 
home location which is the local server); 

transmitting notice of the anomaly in real time to the client location (7:57-63; 9:10-21, 
wherein the software enhancement being sent is the notice of the security vulnerability, which 
functions as the anomaly). 

Shostack fails to teach determining at the home location an anomaly by at least 
comparing the possible security problem with information previously logged at the home 
location, including searching for an unexpected login. However, Lyle discloses a method 
wherein the event, which consists of an attack, is compared to other events that have occurred 
(7:50-8:11). 

Shostack and Lyle fail to teach a method in which determining the anomaly comprises 
searching for an unexpected login. However, Moran discloses a method wherein failed login 
attempts are logged (19:41-20:18). A failed login attempt is an unexpected login since it is not 
a correct login. The login mechanism does not expect the login information to be wrong; therefore a 
failed login qualifies as an unexpected login by an unexpected user. 

It would have been obvious to one of ordinary skill in the art at the time of applicant's 
invention to combine the inventions of Shostack and Lyle with Moran because, in order to make a 
system less vulnerable to attack as stated in Shostack (2:18-28), the ability to detect further types 
of attacks such as forward and backward time steps in a log file or an overflow buffer attack as 
stated in Moran (4:1-37) would increase the security against attacks as a whole. 

9. Claims 29, 30, 32-34, 46, 47 and 49 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Shostack et al. (Shostack), U.S. Patent No. 6,298,445 in view of Porras et al. 
(Porras), U.S. Patent No. 6,704,874 in view of Schneier as applied to claims 30, 28 and 40 above 
and further in view of Lyle, U.S. Patent No. 6,886,102. 

As per claim 29: 

Lyle further discloses an apparatus in which the first mechanism also determines the 
anomaly based on at least information regarding previously determined anomalies (7:66-8:11). 

As per claim 46: 

Lyle further discloses a method wherein a wide view mechanism such as an analysis 
framework module, collects and maintains information regarding events reported to the server 
(7:50-65) which includes a statistics mechanism to compute and store records of events (8:12- 
20). 

As per claims 47 and 49: 

Lyle further discloses a method further comprising a statistics mechanism to compute and 
store records of anomalies (8:12-39). 

It would have been obvious to one of ordinary skill in the art at the time of applicant's 
invention to combine the inventions of Shostack, Porras and Lyle because, in order to make a 
system less vulnerable to attack as stated in Shostack (2:18-28), not only do vulnerability 
updates need to be disseminated, but tracking the hacker who breached the security is also 
essential to the security of a system against intrusions in order to ensure that the same person 
cannot do so again. 



Conclusion 

Applicant's amendment necessitated the new ground(s) of rejection presented in this 
Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). 
Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within TWO 
MONTHS of the mailing date of this final action and the advisory action is not mailed until after 
the end of the THREE-MONTH shortened statutory period, then the shortened statutory period 
will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 
CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, 
however, will the statutory period for reply expire later than SIX MONTHS from the date of this 
final action. 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to KRISTIN D. SANDOVAL whose telephone number is (571)272- 
7958. The examiner can normally be reached on Monday - Friday, 8:00-5:30. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Gilberto Barron can be reached on 571-272-3799. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would 
like assistance from a USPTO Customer Service Representative or access to the automated 
information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 